The U.S. Senate recently proposed a cybersecurity disclosure bill that would require public companies to describe what cybersecurity expertise their boards have, or, if they don't have any, what steps the companies are taking to get some expertise onto their boards.
"It seems like a pretty simple and straightforward bill," said Chris Wysopal, CTO and CISO at Veracode. "It doesn't have anything onerous except some disclosures about the board. To me, it has a chance of passing."
The bill fits neatly into some research that Veracode conducted with the New York Stock Exchange, in which a surprising 90 percent of corporate board members said that regulators should hold businesses liable for breaches if they were negligent with customer data or failed to have reasonable security in place.
"But there's no clear guidance from the SEC or the FTC about what is reasonable security practices," he said. "Boards want to see more clarity there."
Companies already have many reporting and compliance requirements that impact spending on cybersecurity. In fact, according to a survey released just this week by the Ponemon Institute, the need to comply with privacy or data security regulations was the single biggest driver of the use of encryption technology.
There are already numerous federal laws and individual state disclosure requirements, but as the breaches keep coming, security experts expect that the amount of oversight will only continue to increase.
Take the Securities and Exchange Commission, which has recently been stepping up its cybersecurity-related activity.
In 2011, the SEC issued guidance requiring publicly traded companies to report cybersecurity risks alongside other kinds of material risks.
Vikram Bhat, leader of the strategy and governance practice for Deloitte Cyber Risk Services
"For listed companies, the guidance that was provided in 2011 is still the main focus that most are still using as a baseline," said Peter Dugas, managing director of government affairs at FIS’ Center of Regulatory Intelligence at FIS Global
For example, companies need to report if there are aspects of their business or outsourced functions that create cybersecurity risks, if they've had security incidents that have had impact on the company, and even the potential risks of long-term undetected attacks.
But the guidance leaves a lot open to interpretation.
There is a lack of clarity, said Sara Romine, attorney at Carrington, Coleman, Sloman & Blumenthal, L.L.P.
"We know that you don't have to disclose vulnerabilities so that you would be providing hackers information on where the company is vulnerable," she said. "But you know that you have to disclose enough that investors appreciate the nature of the risks facing the company. So where do you draw the line? How much do you have to disclose?"
And should a company report a data breach when it's not required to under other regulations, she asked.
"That is an area that I think the SEC will become even more interested in," she said. "If it's reasonably likely that a breach will lead to reduced revenues or have a material impact on the business, there would be some reporting obligations."
In the last couple of years, however, the SEC has turned its focus on Wall Street institutions.
For example, the SEC recently indicated that they were going to look at how brokerages are managing third-party risk, such as that from purchased software or cloud-based services.
"We're seeing that this is a new trend, and an important one," said Wysopal. "We're seeing more and more stuff moving to the cloud and being managed by third parties."
Last February, the SEC conducted a cybersecurity sweep examination that determined that 88 percent of broker-dealers and 74 percent of registered investment advisers had suffered cyberattacks either directly or through their vendors.
In the fall, the SEC announced that it will do a second round of examinations of financial services firms focusing on a number of cybersecurity topics including vendor management.
According to the SEC's Office of Compliance Inspections and Examinations, other areas of focus include governance and risk assessment, access controls, data loss prevention, training, and incident response.
"We expect continued scrutiny of the areas covered in past years, with new emerging risk areas being evaluated," said Glenn Siriano, financial services leader for KPMG Cyber at KPMG.
Those new areas include emerging technologies, new external threat vectors, deeper assessments of third-party vendors, usage of social media, and managing insider threats, he said.
And the SEC has been moving beyond conducting inspections and issuing guidance, said Dave Mahon, CSO at CenturyLink.
"They're beginning to get a better understanding that this is a bigger problem," he said. "They're trying to get their hands around it, and you're starting to see more audits."
For example, he said, there was the recent enforcement action against RT Jones, a regional investment company that had a breach that exposed client brokerage records.
In that case, the brokerage was fined $75,000 because for nearly four years the firm failed to adopt any written policies or procedures to ensure the security of personally identifiable information and to protect it from unauthorized access.
The SEC is adding teeth to its enforcement, confirmed Ernest Badway, co-chair of the securities industry practice at law firm Fox Rothschild LLP
"There have been several enforcement actions against a variety of broker dealers, investment advisers, and funds," he said.
The SEC's core objective is to protect retail investors, said Vikram Bhat, leader of the strategy and governance practice for Deloitte Cyber Risk Services at Deloitte & Touche LLP
"So investment firms, asset management firms, are likely to be the first wave of people who are likely to be examined," he said.
That will be the focus of the additional testing that is likely to take place this year, he said. But it won't stop there.
"In the end, this is all a push to raise the bar on cybersecurity across all institutions," he said.
While the regulators and legislators continue to struggle with the issue, the third branch of government, the judiciary, is also stepping up -- and may have an even bigger effect.
"When you see the board being sued for negligence, the board of directors is beginning to realize that that this is part of their governance and fiduciary relationships," said CenturyLink's Mahon.
"Things have changed a lot on the board level after the Target breach," said Torsten George, vice president of global marketing and product management at RiskSense. "It was a watershed event. The court sided with the consumers, and the court also sided with the consumers on the Windham Hotel suit. it also had major impacts on boards. those boards suddenly woke up."